Azure News 2017 – Week 38


AAD Managed Service Identity, B-Series burstable VMs, Web App for Containers and Azure App Service on Linux are all part of Azure News this week. This edition plays catch-up on the last two weeks, so everything is bundled together here. All of it is covered on the Need to Know podcast.

Introducing Azure AD Managed Service Identity

A common challenge in cloud development is managing the credentials your code uses to authenticate to cloud services, and keeping those credentials out of source code. The Azure Active Directory Managed Service Identity (MSI) preview addresses this: it gives your code an automatically managed identity for authenticating to Azure services, so no credential has to be stored in code or configuration.

What is Managed Service Identity?

Your code needs credentials to authenticate to cloud services, but you want to limit the exposure of those credentials as much as possible. Azure Key Vault can store credentials securely so they are not in your code, but to retrieve them you must first authenticate to Key Vault, and for that you need a credential: a classic bootstrap problem.

MSI solves this by providing a “bootstrap identity” backed by Azure AD.

When you enable MSI for an Azure service such as Virtual Machines, App Service or Functions, Azure creates a Service Principal for that service instance in Azure AD and injects the Service Principal's credentials (client ID and certificate) into the instance. Your code never handles those credentials directly: it asks a local endpoint on the instance for an access token and presents that token to the target service, for example Key Vault.
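The bootstrap flow described above, as an added example that is not code from the original post or from Microsoft. It assumes the process runs either on an Azure VM, where the Instance Metadata Service (IMDS) identity endpoint at 169.254.169.254 issues tokens, or in App Service/Functions, where the platform injects MSI_ENDPOINT and MSI_SECRET into the environment; the API versions, the vault name demo-vault, the secret name and every response body are assumptions or constructed stand-ins so the example runs outside Azure.

```python
"""Bootstrapping to Key Vault with a Managed Service Identity (added example).

Assumed: IMDS identity endpoint on VMs, MSI_ENDPOINT/MSI_SECRET on App
Service. Vault name, secret name and response bodies are constructed.
"""
import json
import time
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"           # assumed IMDS identity API version
APP_SERVICE_API_VERSION = "2017-09-01"    # assumed App Service MSI API version
KEY_VAULT_RESOURCE = "https://vault.azure.net"
KEY_VAULT_API_VERSION = "2016-10-01"      # assumed Key Vault REST API version


def build_token_request(resource, env):
    """Return (url, headers) for the platform's local token endpoint.

    No stored secret appears here: App Service proves the caller with the
    platform-injected MSI_SECRET, and IMDS answers only requests that carry
    Metadata: true, so a blindly forwarded request cannot reach it.
    """
    if "MSI_ENDPOINT" in env:
        query = urllib.parse.urlencode(
            {"resource": resource, "api-version": APP_SERVICE_API_VERSION})
        return env["MSI_ENDPOINT"] + "?" + query, {"Secret": env["MSI_SECRET"]}
    query = urllib.parse.urlencode(
        {"api-version": IMDS_API_VERSION, "resource": resource})
    return IMDS_TOKEN_URL + "?" + query, {"Metadata": "true"}


def parse_token(body, now):
    """Pull the bearer token out of the JSON reply, rejecting an expired one."""
    data = json.loads(body)
    expires_on = int(data["expires_on"])
    if expires_on <= now:
        raise ValueError("identity endpoint returned an expired token")
    return data["access_token"], expires_on


def build_secret_request(vault_name, secret_name, access_token):
    """Return (url, headers) for reading one Key Vault secret over REST."""
    url = "https://%s.vault.azure.net/secrets/%s?api-version=%s" % (
        vault_name, urllib.parse.quote(secret_name), KEY_VAULT_API_VERSION)
    return url, {"Authorization": "Bearer " + access_token}


def http_get(url, headers):
    """Real transport, used only when the caller does not inject a fake."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def get_secret(vault_name, secret_name, env, fetch=http_get, now=None):
    """Full bootstrap: local identity token first, then the Key Vault secret."""
    now = time.time() if now is None else now
    token_url, token_headers = build_token_request(KEY_VAULT_RESOURCE, env)
    access_token, _ = parse_token(fetch(token_url, token_headers), now)
    secret_url, secret_headers = build_secret_request(
        vault_name, secret_name, access_token)
    return json.loads(fetch(secret_url, secret_headers))["value"]


# Constructed stand-ins so the example runs outside Azure; the real endpoints
# are reachable only from inside the resource that owns the identity.
FAKE_APP_SERVICE_ENV = {"MSI_ENDPOINT": "http://127.0.0.1:41417/MSI/token",
                        "MSI_SECRET": "constructed-platform-secret"}
FAKE_TOKEN_BODY = json.dumps({"access_token": "eyJ.constructed.token",
                              "expires_on": "4102444800",   # year 2100
                              "resource": KEY_VAULT_RESOURCE,
                              "token_type": "Bearer"})
FAKE_SECRET_BODY = json.dumps({"value": "db-password-from-vault"})


def fake_fetch(url, headers):
    """Mimics the two endpoints, including the checks they enforce."""
    if url.startswith(IMDS_TOKEN_URL):
        if headers.get("Metadata") != "true":
            raise PermissionError("IMDS: Metadata header missing")
        return FAKE_TOKEN_BODY
    if url.startswith(FAKE_APP_SERVICE_ENV["MSI_ENDPOINT"]):
        if headers.get("Secret") != FAKE_APP_SERVICE_ENV["MSI_SECRET"]:
            raise PermissionError("App Service MSI: bad Secret header")
        return FAKE_TOKEN_BODY
    if url.startswith("https://demo-vault.vault.azure.net/secrets/"):
        if headers.get("Authorization") != "Bearer eyJ.constructed.token":
            raise PermissionError("Key Vault: 401 Unauthorized")
        return FAKE_SECRET_BODY
    raise LookupError("unexpected URL " + url)


if __name__ == "__main__":
    # VM flavour (empty env) and App Service flavour (injected variables).
    print(get_secret("demo-vault", "db-password", {}, fetch=fake_fetch))
    print(get_secret("demo-vault", "db-password", FAKE_APP_SERVICE_ENV,
                     fetch=fake_fetch))
```

The point to notice is what is absent: no client secret, certificate or connection string is read from code or configuration, only a token minted by the platform. The caveat a practitioner should keep in mind is that the local token endpoint is reachable by any process on that VM or app instance, so the identity's Key Vault access policy should grant only the secrets that workload needs.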

Introducing Azure confidential computing

Microsoft says Azure is the first cloud to offer a collection of new data security features and services under the name Azure confidential computing. Confidential computing adds a protection that public clouds have lacked until now: encryption of data while it is in use. The aim is that data can be processed in the cloud with the assurance that it always remains under customer control.

It is intended to protect against threats such as:

Data being accessed while in use, either through administrative accounts or by using compromised keys to access encrypted data

Malicious insiders with administrative privilege or direct access to the hardware on which the data is being processed

Hackers and malware that exploit bugs in the operating system, application or hypervisor

With Azure confidential computing, data in Azure is still protected in transit and at rest; the new part is that when data has to be “in the clear”, which is required for efficient processing, it is processed inside a Trusted Execution Environment (TEE, also known as an enclave). A TEE is designed so that nothing outside it can observe the data or the operations on it, and if the enclave code is altered or tampered with, the operations are refused and the environment is disabled.

Microsoft also announced that Azure SQL Database and SQL Server will make use of confidential computing.

You can try out Azure confidential computing through the Early Access program.

Introducing B-Series, our new burstable VM size

Now in preview is the B-Series of Azure Virtual Machines, a new VM family that provides the lowest cost of any existing size together with flexible CPU usage. For some web servers and similar environments, CPU demand is very bursty: the workload runs for long stretches using a small fraction of the available CPU and then spikes to needing the full CPU when traffic or work arrives.

With Azure’s other VM sizes you pay for the full CPU even during those low points, just so that you can handle the bursts.

The B-Series offers a cost effective way to deploy workloads that do not need the full performance of the CPU continuously but still have to accommodate the bursts. While a B-Series VM runs at low utilisation, the instance banks credits. When enough credit has accumulated and demand increases, utilisation can burst up to 100% of every vCPU.

These VM sizes let you pay for the baseline and burst as needed (on Intel® Haswell 2.4 GHz E5-2673 v3 processors or better). This level of control gives you considerable cost flexibility.

As an example, the B-Series size Standard_B8ms has 8 vCPUs with a 135% baseline performance shared across all 8 (that is, 1.35 vCPUs’ worth of continuous CPU). If your application uses 4 of the 8 vCPUs for batch processing and each of those 4 runs at 30% utilisation, the VM is consuming 4 × 30% = 120% of CPU performance, which is below the 135% baseline. Your VM therefore banks credit based on the 15% delta between usage and baseline. When credits are available, the same VM can use 100% of all 8 vCPUs, giving a maximum CPU performance of 800%.
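The credit arithmetic above, carried through minute by minute as an added example (not code from the original post or from Microsoft). The accounting model is an assumption for illustration: baseline and demand are percentages of one vCPU, one credit is one vCPU-minute at 100%, credits bank whenever demand is below baseline and are spent whenever it is above, and the bank is capped at 24 hours of baseline accrual. The Standard_B8ms figures (8 vCPUs, 135% baseline) come from the text; the demand profiles are constructed.

```python
"""B-Series credit banking, minute by minute (added example).

Assumed model: percentages are of one vCPU, one credit = 100 percent-minutes
(one vCPU-minute at 100%), the bank is capped at 24 h of baseline accrual.
"""

# Sizes from the text; the cap is an assumption of this example.
B_SERIES = {"Standard_B8ms": {"vcpus": 8, "baseline_pct": 135}}
CAP_HOURS = 24


def text_example():
    """The post's case: 4 of 8 vCPUs at 30% each on Standard_B8ms."""
    demand_pct = 4 * 30
    delta_pct = B_SERIES["Standard_B8ms"]["baseline_pct"] - demand_pct
    return demand_pct, delta_pct          # (120, 15): 15% banks each minute


def simulate(size, demand_pcts, start_credits=0.0):
    """Run a per-minute demand profile through the credit model.

    Returns (achieved_pcts, final_credits, throttled_minutes). Credits are
    tracked internally in integer percent-minutes to avoid float drift.
    """
    spec = B_SERIES[size]
    base = spec["baseline_pct"]
    max_pct = spec["vcpus"] * 100          # 800% for B8ms
    bank_cap = base * 60 * CAP_HOURS       # percent-minutes
    bank = int(round(start_credits * 100))
    achieved, throttled = [], 0
    for demand in demand_pcts:
        demand = min(demand, max_pct)      # cannot exceed all vCPUs at 100%
        if demand <= base:
            # Under baseline: the unused delta is banked, up to the cap.
            bank = min(bank_cap, bank + (base - demand))
            achieved.append(demand)
        else:
            needed = demand - base         # percent-minutes above baseline
            if bank >= needed:
                bank -= needed             # burst fully, paid from the bank
                achieved.append(demand)
            else:
                # Spend what is left, then the VM is held at baseline.
                achieved.append(base + bank)
                bank = 0
                throttled += 1
    return achieved, bank / 100, throttled


if __name__ == "__main__":
    # One hour at the post's 120% load, then a full 800% burst.
    profile = [120] * 60 + [800] * 3
    got, credits, held = simulate("Standard_B8ms", profile)
    print("credits banked after the hour:", simulate("Standard_B8ms", profile[:60])[1])
    print("burst minutes achieved:", got[-3:], "throttled:", held)
```

Running the hour of 120% load banks 9 credits (15 percent-minutes per minute for 60 minutes); the first minute of an 800% burst then costs 6.65 credits, the second only gets 370% before the bank is empty, and the third is held at the 135% baseline. That drop is the failure mode to plan for: a B-Series VM that has not idled long enough cannot sustain a burst.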

Saving millions by fine-tuning Microsoft Azure usage

Rick, an engineer in Microsoft Core Services Engineering (formerly Microsoft IT), focuses on cloud adoption and cost optimisation and is one of many engineers involved in the very large transformation of reinventing Microsoft’s IT systems. As the bulk of those systems were migrated to or rebuilt on cloud platforms, the focus shifted to managing that cloud infrastructure efficiently, which has saved millions of dollars.

Challenger Sales Methodology

A common sales technique that CEB Global came up with, and that many IT companies use, is the Challenger Sales Methodology.

Here are the highlights:

The buying experience is the biggest driver of customer loyalty

Your ability to offer unique and valuable perspectives on the customer’s market

Help customers navigate alternatives

Help customers avoid potential risks

Educate customers on new issues and outcomes

How you use the customer’s time, teaching and helping them through their complex buying process

Unlike other approaches, which seek to understand what customers are trying to solve and map products and solutions to customer needs, Challengers develop a perspective on a specific issue and teach their customers how to think differently about their own business.

Rather than leading with products or solutions, a Challenger leads with where they see the customer has missed an opportunity or is losing money.

Challengers create a case for change by discussing the true cost of the customer’s inaction.

Only at the very end does the Challenger’s unique solution come into play.

Web App for Containers and Azure App Service on Linux

Recently announced: Azure App Service on Linux and Web App for Containers are now generally available.

Azure App Service on Linux (Web App with built-in images)

The built-in image option running on Linux extends the existing Azure App Service offering, catering to developers who want to use FTP or Git to deploy .NET Core, Node, PHP or Ruby applications to Azure App Service running on Linux. This is a vanilla App Service scenario, just powered by a Linux OS.

Web App for Containers

Web App for Containers is aimed more at developers who want control over not just the code but also the packages, runtime framework, tooling and so on installed in their containers. Developers can focus on composing their containers without managing and maintaining an underlying container orchestrator. The Web App for Containers feature is based on Docker containers.

Azure IoT Device Provisioning

In other Azure news, Microsoft this week announced a preview of its Azure IoT Hub Device Provisioning Service. It is available now in the East US, West Europe and Southeast Asia regions.

The service is designed to automate the provisioning of Internet of Things devices, avoiding the tedium of processing them manually. With the Internet of Things, an organisation may have to put connection credentials on each of millions of devices.

Devices should really hold their security keys in a hardware security module such as a TPM (trusted platform module). The provisioning service can still be used with devices that lack one; for development and testing, a Windows TPM simulator can stand in for the hardware.